2.9 Million Citizens' Data Exposed; Company Failed General Data Protection Regulation

Half of Norway's healthcare data was involved in a recent breach, and Norway has been criticized for the delay in notifying the exposed population.


The EU's General Data Protection Regulation (GDPR) requires companies to be in compliance by May 25, 2018. This failure to report promptly may serve as a wake-up call for organizations working toward compliance with the standard.

Health South-East RHF, a healthcare organization that manages nine units of Norway's 18 counties, reported the data breach on January 15, 2018. Unfortunately, the incident was discovered on January 8, which means that Health South-East RHF failed to meet the 72-hour notification requirement under GDPR. Suspicious traffic coming from Health South-East's computer network was identified, and the investigation that followed revealed evidence of a severe data breach, reports Bleeping Computer.

Norwegian health authorities have yet to confirm whether the cyber attackers were able to access and exfiltrate personal healthcare data. Healthcare data is a popular target for cyber criminals because it provides all the necessary details for ID theft and related fraudulent activity.

e-End operates a secure facility in Frederick, MD, and specializes in destroying a wide variety of classified data and various controlled devices. This includes destruction of data-containing hard drives, ITAR-controlled devices, IT equipment and tactical military devices. They routinely destroy body armor that has reached the end of its certified period of use.